Implementing an Effective Risk Appetite
If strategy is doing the right things whereas operations is doing things right, then risk management is
the capability of doing both effectively under uncertainty. Organizations face uncertainty in many forms.
In addition to strategic and operational risks, they face financial, legal/compliance, and reputational
risks. Enterprise risk management (ERM) is a global, widely accepted approach to identifying, assessing,
measuring, and managing the key risks faced by an organization, including the critical interdependencies
between the risks.[1]
During the global financial crisis of 2008, many companies around the world were caught off guard
by unknown risks or under-reported risk exposures embedded in their businesses. Moreover, the
financial losses and economic impact were magnified by the systemic risks associated with financial
counterparties, business partners, and macroeconomic and intercountry linkages. In the aftermath,
governments and regulators have imposed much higher regulatory standards and capital requirements.
As a result, corporate boards and executives have accelerated their investments in ERM.
An integral part of ERM is the development of key risk metrics, exposure limits, and governance and
oversight processes to ensure enterprise-wide risks are within acceptable and manageable levels. A
best-practice approach to addressing these requirements is to implement a clearly defined risk appetite
statement (RAS). Corporate directors who are ultimately responsible for overseeing the risk management
of their companies recognize this need. According to a 2013-2014 National Association of Corporate
Directors (NACD) survey, only 26% of companies have a defined risk appetite statement.[2]
An RAS provides a framework for the board of directors and management to address some fundamental
questions with respect to strategy, risk management, and operations, including:
➢ What are the strategies for the overall organization and individual business units? What are the key assumptions underlying those strategies?
➢ What are the significant risks and aggregate risk levels that the organization is willing to accept in order to achieve its business objectives? How do we establish governance structures and risk management policies to oversee and control these risks?
➢ How do we assess and quantify the key risks so that we can monitor our exposures and key trends over time? How do we establish the appropriate risk tolerances given our business objectives, profit and growth opportunities, and regulatory requirements?
➢ How do we integrate our risk appetite into strategic and tactical decision making in order to optimize our risk profile?
➢ How do we establish an ERM feedback loop and provide effective reporting to the board and senior management?
This Statement on Management Accounting (SMA) provides board members, corporate executives, and
the risk, compliance, and audit professionals who support them with a set of guidelines, best practices,
and practical examples for developing and implementing an effective RAS framework. Moreover, a
maturity model is provided to help an organization assess its current state of RAS implementation, with
useful benchmarks included for further development. The SMA will discuss:
• Requirements of a risk appetite framework, including key concepts and definitions.
• Developing an RAS, including implementation steps and ongoing refinement.
• Roles and responsibilities of the board, senior management, and business and operating units.
• Monitoring and reporting processes, including linkages between the RAS metrics at different levels of the organization.
• A practical example of an RAS with illustrative metrics and risk tolerance levels by key risks.
• An RAS maturity model that provides benchmarks to support self-assessment and benchmarking.
A well-developed RAS has the following attributes: (1) It is a key element of the overall ERM framework;
(2) it is aligned with the business strategy and expressed with quantitative risk tolerances; (3) it reinforces
the organization’s desired risk culture; and (4) it produces better risk-adjusted business performance, thus
enhancing the organization’s reputation with its key stakeholders. Figure 1 provides an overview with
these key attributes and the linkages between ERM, risk appetite, risk culture, and reputation.